12-19-2023 09:23 PM
Hi Team,
I am trying to make my application a device owner app, and I am trying to use a QR code for provisioning. I am unable to achieve the result. When I scan the QR code which I have generated (generated QR code without enrollment token) on a factory reset device, I am getting an error stating "Couldn't set up your device, for help contact your IT admin". Could you please help me find where I am going wrong?
When I tried getting an enrollment token using AMAPI, I got the following error:
com.google.api.client.googleapis.json.GoogleJsonResponseException: 400 Bad Request
POST https://androidmanagement.googleapis.com/v1/enterprises/%7B573991258109%7D/enrollmentTokens
{
"code" : 400,
"errors" : [ {
"domain" : "global",
"message" : "Invalid enterprise id. Provide a valid id.",
"reason" : "badRequest"
} ],
"message" : "Invalid enterprise id. Provide a valid id.",
"status" : "INVALID_ARGUMENT"
}
12-19-2023 11:16 PM - edited 12-19-2023 11:17 PM
Please provide an example QR code you used, it should look like this (example using Soti Mobicontrol as MDM, providing a Wifi):
{"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"hn8mSNJMPcovWbnnWrb-uMpWZjNlNp-jyV_2A-Whumc=",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"net.soti.mobicontrol.androidwork/net.soti.mobicontrol.admin.DeviceAdminAdapter",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"http://soti.net/apk/ae2",
"android.app.extra.PROVISIONING_WIFI_SSID":"AnySSID",
"android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE":"WPA",
"android.app.extra.PROVISIONING_WIFI_PASSWORD":"password",
"android.app.extra.PROVISIONING_USE_MOBILE_DATA":true,
"android.app.extra.PROVISIONING_SKIP_ENCRYPTION":true,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"enrollmentId":"IDorURL_used_for_enrollment",
"PROVISIONING_MODE":"MANAGED_PROFILE"
}
}
12-20-2023 02:23 AM
Hello,
This is the sample JSON format which I am using to generate the QR code:
{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.android.client/com.android.utils.AdminReceiver",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "8:F9:D0:08:D9:82:B7:29:E2:7E:47:BB:BD:C2:EB:8D:BE:04:0F:C0:05",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://android.eu-1.amazonaws.com/Android-V71-1623538246-024-aHR0cHM6C5hcHAvRGFzaGJvYXJkLw%3D%3D.ap..."
}
12-20-2023 02:42 AM
You need this always:
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"enrollmentId":"IDorURL_used_for_enrollment",
"PROVISIONING_MODE":"MANAGED_PROFILE"
}
12-20-2023 09:27 PM
Is there any way to move to device owner without enrollment token?
12-20-2023 10:47 PM
Not as far as I know, as the enrollment token/id/url or whatever the MDM expects is pointing to the relevant enrollment rule to be used (because in each MDM you can have several).
Otherwise the MDM doesn't know how to proceed forward with the device (which settings to deploy, is it COPE, fully managed or just BYOD, and so on).
12-21-2023 02:12 AM
Hi,
To create an enrollment token using the Android Management API, I am following this method:
EnrollmentToken enrollment_token = androidManagement.enterprises().enrollmentTokens().create(enterpriseID, token).execute();
In the above snippet, the enterpriseID which I am using is the organization ID which I get in the Google console, and I am using it in this format:
String enterpriseID = "enterprises/{DUOsdy871}";
But with this I am getting the following error:
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED",
"details": [
{
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "CREDENTIALS_MISSING",
"domain": "googleapis.com",
"metadata": {
"method": "google.android.devicemanagement.v1.DeviceManagementService.ListEnterprises",
"service": "androidmanagement.googleapis.com"
}
}
]
}
}
What OAuth access token is it expecting?
In the Google Cloud console I have created OAuth credentials and downloaded a JSON file. How do I use it? What login is it expecting? Where am I going wrong? Please guide me.
12-21-2023 03:25 AM
Could you please suggest an online QR generator tool?
12-21-2023 03:32 AM
If you mean one in general, I prefer this: https://barcode.tec-it.com/en
If you mean an enrollment QR-Code generator I use only my own written one.
12-21-2023 06:39 AM - edited 12-21-2023 06:39 AM
And just for your information, the extras are MDM related and can be different. @jasonbayton has a nice listing here: https://bayton.org/android/android-enterprise-zero-touch-dpc-extras-collection/#intune
12-21-2023 09:29 PM
{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.android.client/com.android.utils.AdminReceiver",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "3OEI4RjlEMDA4QjcyOUUyN0U0N0JCQkRDMkVCOERCRTA0MEZDMDA1RjMyNDI1MNg",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://Android-android-central-1.com/Android-V7.apk",
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "{ds4VLNcI5FGVW0PcUVkKoqEbrOyGw_VqEUh1uhgM}"
}
}
Am I using the correct format? Please correct me if I am doing anything wrong here. What do I need to handle in my Android application?
Signature checksum: I have encoded my SHA256 value (example: 85:78:B8:F9:D0:08:04:B9:A8:1A:D9) to URL-safe form using base64encode.
Enrollment token: I generated it using AMAPI:
EnrollmentToken enrollment_token = androidManagement.enterprises().enrollmentTokens().create(enterpriseID, token).execute();
12-21-2023 10:51 PM
I think you have to remove the { and } inside the enrollment token
12-21-2023 11:02 PM
Even after removing that, I am getting the below error when scanning the QR code after a factory reset. Am I using the checksum in the correct format?
Is it the SHA256 signature which I need to encode? I am directly pasting the SHA256 value with ":" into a base64 encoder and encoding it.
12-21-2023 11:20 PM
I don't know how/where the checksum comes from, but there are default ones for each MDM I think, so it is always the same if you use Intune, for example (for any user/customer who uses Intune).
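Added example, not from any poster in this thread: Android documents `PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM` as the URL-safe base64 encoding of the SHA-256 digest of the DPC's signing certificate, so the value is derived from the 32 raw digest bytes, not from the colon-separated hex text. The function names and the sample fingerprint below are constructed for illustration; the check also flags an extras value wrapped in literal braces, as discussed above.

```python
import base64
import json
import re

CHECKSUM_KEY = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
EXTRAS_KEY = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"

def fingerprint_to_checksum(fingerprint: str) -> str:
    """Hex SHA-256 fingerprint (colons optional) -> URL-safe base64 of the
    raw 32 digest bytes, with the trailing '=' padding stripped."""
    raw = bytes.fromhex(fingerprint.strip().replace(":", ""))
    if len(raw) != 32:
        raise ValueError(f"expected 32 digest bytes, got {len(raw)}")
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")

def checksum_problem(value: str):
    """Return None when value decodes to a 32-byte digest, else the reason."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+=*", value):
        return "not URL-safe base64 (hex fingerprint pasted as-is?)"
    body = value.rstrip("=")
    try:
        raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except ValueError:
        return "not decodable base64"
    if len(raw) != 32:
        return f"decodes to {len(raw)} bytes, a SHA-256 digest is 32"
    return None

def lint_payload(text: str) -> list:
    """Check the checksum and the extras bundle of a provisioning payload."""
    payload = json.loads(text)
    issues = []
    if CHECKSUM_KEY in payload:
        reason = checksum_problem(str(payload[CHECKSUM_KEY]))
        if reason:
            issues.append(f"signature checksum: {reason}")
    for key, val in payload.get(EXTRAS_KEY, {}).items():
        if isinstance(val, str) and val.startswith("{") and val.endswith("}"):
            issues.append(f"{key}: value is wrapped in literal braces")
    return issues

# Constructed sample: a made-up fingerprint, encoded the wrong way (base64 of
# the hex text) and the right way (base64 of the digest bytes).
FINGERPRINT = ":".join(f"{b:02X}" for b in range(32))
WRONG = base64.urlsafe_b64encode(FINGERPRINT.encode()).decode()
RIGHT = fingerprint_to_checksum(FINGERPRINT)

if __name__ == "__main__":
    for checksum in (WRONG, RIGHT):
        doc = {CHECKSUM_KEY: checksum, EXTRAS_KEY: {"token": "{constructed}"}}
        print(lint_payload(json.dumps(doc)))
```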
12-20-2023 12:38 AM
Your enterprise ID is incorrect, you should first use the enterprise endpoint to enroll your enterprise and create your enterprise on Google servers.
Then you use the ID of the enterprise returned by Google to use the other API endpoint to create your enrollment token and manage your devices.
12-20-2023 02:25 AM
Could you please share with me any code snippet or relevant document for the same? It will really help me.
Thanks in Advance
12-20-2023 02:31 AM
You can use this https://github.com/codybrookshear/android-deviceowner-kotlin to create your own device owner without using the Google Management API
12-20-2023 08:21 PM
I tried this, but it is not working.
12-22-2023 01:59 AM
The enrollment tokens provided by the Google API are only valid when used with the Google Android Management API. If you plan to create your own device owner you don't need these tokens, just create your own app by following this guide https://developer.android.com/reference/android/app/admin/DevicePolicyManager and this blog article which details the process:
https://medium.com/@codybrookshear/creating-an-android-device-owner-app-in-2023-b7e7b9fb3aca